About Me

JHC Technology is a Service Disabled, Veteran-Owned Small Business based in the Washington, DC Metro area. Our primary focus is to offer customized solutions and IT consulting to our Commercial and Government clients. Our experts have broad experience delivering and managing Microsoft Enterprise applications and Cloud and Virtualization Solutions, as well as mobilizing Enterprise data.

Tuesday, May 11, 2010

Federal Cloud SharePoint Architecture

Problem: The Federal government and other large organizations (financial and medical markets) want to take advantage of cloud Infrastructure as a Service (IAAS). The most mature clouds on the market are public IAAS providers like Amazon Web Services (AWS); however, security concerns and federal compliance requirements have made these clouds difficult for the federal government to implement. Some common reasons why cloud IAAS is difficult to adopt in the Federal Government:

1. Finding a FISMA-compliant cloud

2. Risk of failing Certification and Accreditation (C&A) at the Low, Moderate, and/or High impact level

3. Security concerns with the hypervisor

4. The pay-as-you-go model for IAAS is difficult to adopt because Federal Agencies seek Firm Fixed Price contracts in the traditional RFP process.

I believe the major adoption issue with cloud IAAS centers on FISMA compliance and security concerns. Many of the security concerns around cloud computing are not warranted, and addressing them requires agencies to adopt new policies and procedures for handling disruptive technologies. However, FISMA compliance and data security classification levels are real concerns that public clouds have not been able to address in their current state. So how does the Federal government take advantage of cloud solutions?

The Federal Government should take a practical approach to cloud IAAS. One tactic Federal Agencies can take to make the adoption of IAAS easier is to find projects that deal with public data. Public-facing websites are great projects for cloud adoption in the Federal government: because the content is already public, the data classification level for such websites is considered low. However, the IAAS cloud provider would still need to meet Federal FISMA compliance requirements. Cloud providers have been actively moving towards making their technologies and facilities compliant with these standards. Terremark Enterprise Cloud (a private cloud) is certified for FISMA compliance and has achieved a Moderate security level for Certification and Accreditation (C&A). That being said, Terremark is also up to 10 times more expensive than other cloud providers like Amazon, so FISMA compliance and the C&A process appear to come with an expensive price tag.

To complicate matters, Federal Agencies want enterprise-class websites that provide features like content management, customizable business workflows, and an LDAP connection to their directory services. The LDAP connection requires a secure VPN tunnel back to the agency's directory service so that agency users can sign into the solution with their existing credentials; that tunnel pulls the hosted environment into the security boundary of the agency directory and raises the security requirements of the IAAS cloud solution. So how do you provide the Federal Government a cost-effective cloud solution for public-facing websites that still meets the Federal compliance standards and technical requirements?

One way to tackle this problem is to provide a best-of-breed cloud solution that breaks the security and technical requirements down and assesses which IAAS provider is appropriate for each part of the solution.

Use Case:

A Federal Agency wants to migrate its public-facing websites to SharePoint 2010 and host SharePoint 2010 with a cloud IAAS provider. The following requirements need to be taken into account:

• Cost effective

• Connect back to the Agency's LDAP environment for user authentication

• Moderate-level Security Certification and Accreditation

• FISMA Compliance

• Scalable and High Availability

• Disaster Recovery

• Anonymous Access to Public facing website

• Advanced content deployment scenario with Authoring, Staging, and Production

Solution:

To meet the moderate security level, cost, FISMA, and technical requirements, we will use a multi-cloud solution that combines Terremark Enterprise Cloud and Amazon Web Services. By separating the environments, the most stringent security requirements apply only to the parts of the solution that handle data accuracy, data timeliness, and LDAP authentication.

Our design recommends using Amazon Web Services for:

• Approved public content only

• A read-only copy of the web site content

• Content deployment jobs configured to strip the SharePoint security model (permissions) before content reaches AWS

• Content deployment jobs configured to strip user account information before content reaches AWS

• Anonymous access

Terremark Enterprise Cloud is FISMA compliant and has obtained a moderate-level Certification & Accreditation for multiple government agencies. Therefore, every part of the solution that requires user authentication or content authoring will be deployed in Terremark Enterprise Cloud. However, given the high cost of the Terremark cloud, we do not recommend using this environment for the public-facing website, which does not require the same level of security. Additionally, the Terremark Enterprise Cloud will have a secure VPN connection to the federal agency's LDAP; agency credentials are only ever presented inside that accredited environment, and nothing in AWS authenticates users.
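As an added example (not code from the original post or from JHC Technology), the following Python script is a release gate that could run in the Terremark authoring environment before a content deployment package is allowed to cross into AWS. It inspects the two files in a SharePoint 2010 export package that carry permissions and principals, Manifest.xml (SPObject entries with nested Roles and RoleAssignments) and UserGroup.xml (User and Group entries), and rejects the package if any survive. The element and attribute names are modelled on the SharePoint deployment schema; the sample documents are constructed for this example, and the fail-closed policy (any login, e-mail address, role definition or group membership is a finding) is an assumption of the example, not a setting the post prescribes.

```python
"""Release gate for a SharePoint content deployment package (added example).

Checks that a package produced with the job options that strip the security
model and user names really carries no permissions or agency identities before
it is pushed from the private cloud to the public (AWS) nodes.

Element/attribute names are modelled on the SharePoint 2010 deployment schema
(Manifest.xml and UserGroup.xml); the sample documents below are constructed.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace so the check does not depend on the schema URN."""
    return tag.rsplit("}", 1)[-1]


def audit_package(manifest_xml: str, usergroup_xml: str) -> list[str]:
    """Return a list of findings; an empty list means the package may be deployed."""
    findings: list[str] = []

    # 1. Security model: the public copy must carry no role definitions or
    #    role assignments (SharePoint permissions live under web/list objects).
    for el in ET.fromstring(manifest_xml).iter():
        name = _local(el.tag)
        if name == "Role":
            findings.append(f"role definition '{el.get('Title', '?')}'")
        elif name == "RoleAssignment":
            findings.append(f"role assignment on scope {el.get('ScopeId', '?')}")

    # 2. Principals: no agency logins, e-mail addresses or populated groups.
    for el in ET.fromstring(usergroup_xml).iter():
        name = _local(el.tag)
        if name == "User" and (el.get("Login") or el.get("Email")):
            findings.append(f"user principal {el.get('Login') or el.get('Email')}")
        elif name == "Group" and any(_local(c.tag) == "Member" for c in el):
            findings.append(f"group '{el.get('Name', '?')}' with members")
    return findings


# Constructed sample: what a package looks like when the job was NOT configured
# to strip security and user names.
LEAKY_MANIFEST = """<SPObjects xmlns="urn:deployment-manifest-schema">
  <SPObject Id="w1" ObjectType="SPWeb" Url="/">
    <Web Id="w1" Title="Agency Public Site">
      <Roles><Role RoleId="1073741829" Title="Full Control"/></Roles>
      <RoleAssignments>
        <RoleAssignment ScopeId="w1"><Assignment RoleId="1073741829" PrincipalId="1"/></RoleAssignment>
      </RoleAssignments>
    </Web>
  </SPObject>
</SPObjects>"""

LEAKY_USERGROUP = """<UserGroupMap xmlns="urn:deployment-usergroupmap-schema">
  <Users><User Id="1" Name="J. Doe" Login="AGENCY\\jdoe" Email="jdoe@agency.example"/></Users>
  <Groups><Group Id="5" Name="Site Owners"><Member Id="1"/></Group></Groups>
</UserGroupMap>"""

# Constructed sample: the same site exported with security and user names stripped.
CLEAN_MANIFEST = """<SPObjects xmlns="urn:deployment-manifest-schema">
  <SPObject Id="w1" ObjectType="SPWeb" Url="/">
    <Web Id="w1" Title="Agency Public Site"/>
  </SPObject>
</SPObjects>"""

CLEAN_USERGROUP = """<UserGroupMap xmlns="urn:deployment-usergroupmap-schema">
  <Users/><Groups/>
</UserGroupMap>"""


if __name__ == "__main__":
    for label, m, u in (("leaky", LEAKY_MANIFEST, LEAKY_USERGROUP),
                        ("clean", CLEAN_MANIFEST, CLEAN_USERGROUP)):
        findings = audit_package(m, u)
        print(f"{label}: {'REJECT' if findings else 'OK to deploy'}")
        for f in findings:
            print("  -", f)
```

The deployment job's own options (not deploying user names or security information) are the control; this gate verifies on the produced package that the control actually took effect, which matters because the package is the one artifact that crosses from the accredited environment into the public cloud.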




1. Federal Agency LDAP – The solution supports connectivity to the Federal Agency LDAP. Agency users will have seamless access to the environment using their agency username and password. Content authors will be able to perform user acceptance testing, create new content, edit existing content, delete content, submit workflows, and approve or reject content. Additionally, the environment will be configured to import LDAP profile data into the SharePoint 2010 profile store.


2. Terremark Enterprise Cloud: Terremark's private cloud is FISMA compliant and has obtained a moderate-level Certification and Accreditation.

a. Content Deployment: The solution uses an advanced content deployment scenario built on SharePoint 2010 content deployment. The deployment jobs, over an encrypted connection, push approved public content to the corresponding nodes in Amazon Web Services. Content is authored in the Authoring Node and deployed to the AWS Staging (Testing) Node. Once content is verified in the Staging Node, it is pushed to the AWS Production Node. The content deployment jobs will be configured to remove the security model and user account information, so the public copy carries no agency permissions or identities. This deployment path is the only inbound channel from the authoring environment into AWS, so the destination farm's Central Administration endpoint that accepts incoming jobs should be reachable only from the Terremark source addresses.

3. Amazon Web Services (AWS) Public Cloud: AWS delivers a set of services that form a reliable, scalable, and inexpensive computing platform in the cloud. The AWS platform will contain only a read-only copy of the data and will accept content deployment jobs from the Terremark private cloud. Additionally, the solution provides disaster recovery, high availability, on-demand scalability, and anonymous access to public content.

a. Active West Zone (the AWS US West Region): Handles all web traffic for the western United States. In the event that the zone fails, users will be redirected to the East zone.

i. Production Node: The production node contains a highly scalable and elastic SharePoint 2010 solution in the cloud. The production node will be configured to allow anonymous access to the public-facing websites.

ii. Testing (Staging) Node: Identical to the Production Node; it receives content deployed from the Authoring Node so that content can be verified before it is pushed to Production.

b. Active East Zone (the AWS US East Region): Handles all web traffic for the eastern United States. In the event that the zone fails, users will be redirected to the West zone.

i. Production Node: The production node contains a highly scalable and elastic SharePoint 2010 solution in the cloud. The production node will be configured to allow anonymous access to the public-facing websites.

ii. Testing (Staging) Node: Identical to the Production Node; it receives content deployed from the Authoring Node so that content can be verified before it is pushed to Production.

4. Elastic Load Balancer/DNS Solution: The Elastic Load Balancer/DNS solution distributes user requests between the AWS West and East active zones, which creates a highly scalable and optimal SharePoint 2010 solution. If an active zone fails, the solution directs requests to the other active zone; therefore, the solution provides near-real-time disaster recovery. Note that an Elastic Load Balancer operates within a single region, spreading load across that region's web front ends; the split between the East and West regions, and the failover when one region goes dark, is done at the DNS layer with health-checked records. The effective failover time is therefore the health-check detection time plus the record's TTL, so the public record should carry a short TTL.

5. Content Delivery Network: Caches the public web content and static assets at edge locations, so the read-only copy in AWS is delivered quickly and reliably and the origin nodes see less direct traffic.
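The region-level failover described in item 4, as an added example that is not part of the original post. Because an Elastic Load Balancer only balances within one region, the East/West split has to be made at the DNS layer; the Python class below models a health-checked DNS answer set with a consecutive-failure threshold (so one dropped probe does not pull a region), a recovery threshold (so a flapping region is not put straight back), a fail-open rule when both regions look down, and an estimate of the worst-case failover window from probe interval, threshold and TTL. The region names, addresses (RFC 5737 documentation ranges), thresholds and probe sequence are constructed for the example.

```python
"""Health-checked DNS failover between two AWS regions (added example).

Each region has its own Elastic Load Balancer; this class decides which
regions' addresses the public DNS record should answer with. Region names,
addresses, thresholds and the probe log below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class Region:
    name: str
    addresses: list[str]
    healthy: bool = True
    consecutive_failures: int = 0
    consecutive_passes: int = 0


class DnsFailover:
    def __init__(self, regions: list[Region], fail_threshold: int = 3,
                 pass_threshold: int = 2, ttl_seconds: int = 60) -> None:
        self.regions = {r.name: r for r in regions}
        self.fail_threshold = fail_threshold  # failed probes before a region is pulled
        self.pass_threshold = pass_threshold  # passing probes before it is restored
        self.ttl_seconds = ttl_seconds        # TTL published on the public record

    def record_probe(self, region_name: str, ok: bool) -> bool:
        """Feed one health-check result; return the region's resulting state."""
        r = self.regions[region_name]
        if ok:
            r.consecutive_passes += 1
            r.consecutive_failures = 0
            if not r.healthy and r.consecutive_passes >= self.pass_threshold:
                r.healthy = True
        else:
            r.consecutive_failures += 1
            r.consecutive_passes = 0
            if r.healthy and r.consecutive_failures >= self.fail_threshold:
                r.healthy = False
        return r.healthy

    def answers(self) -> list[str]:
        """Addresses to publish. Fail open: if every region looks down, keep
        answering with all of them rather than serving an empty record."""
        healthy = [a for r in self.regions.values() if r.healthy for a in r.addresses]
        return healthy or [a for r in self.regions.values() for a in r.addresses]

    def worst_case_failover_seconds(self, probe_interval_seconds: int) -> int:
        """Detection time (threshold x interval) plus the time cached answers
        keep pointing clients at the dead region (TTL)."""
        return self.fail_threshold * probe_interval_seconds + self.ttl_seconds


def simulate(probe_log: list[tuple[str, bool]], **kwargs) -> list[list[str]]:
    """Replay a probe log and return the published answer set after every probe."""
    fo = DnsFailover([
        Region("us-east", ["198.51.100.10"]),
        Region("us-west", ["203.0.113.10"]),
    ], **kwargs)
    history = []
    for region, ok in probe_log:
        fo.record_probe(region, ok)
        history.append(fo.answers())
    return history


# Constructed probe log: east fails three probes in a row, then recovers.
PROBES = [("us-east", True), ("us-west", True),
          ("us-east", False), ("us-east", False), ("us-east", False),
          ("us-west", True), ("us-east", True), ("us-east", True)]

if __name__ == "__main__":
    for (region, ok), ans in zip(PROBES, simulate(PROBES)):
        print(f"{region:8} {'pass' if ok else 'FAIL':4} -> {ans}")
    fo = DnsFailover([Region("us-east", ["198.51.100.10"]),
                      Region("us-west", ["203.0.113.10"])])
    print("worst-case failover with 30 s probes:",
          fo.worst_case_failover_seconds(30), "s")
```

With 30-second probes, three failures before pulling a region and a 60-second TTL, a client can keep being sent to a dead region for about 150 seconds; tightening the TTL shortens that window, while lowering the failure threshold trades it against false failovers on a single lost probe.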

1 comment:

  1. The case for Redshift, but for more mature databases, we have found that set transformations performed in the database are more efficient than those outside. Thus ELT has long been popular with VLDB developers.

    You should note that Hadoop clusters have traditionally performed massive data operations without the use of traditional commercial ETL tools. And of course Amazon is out to put everybody else out of business.

